OMG – Mirai Minions are Wicked

Executive Summary

Mirai, seen as revolutionary for malware that targets the Internet of Things (IoT), has wrought destruction around the globe and popularized IoT based malware. Mirai was utilized by attackers to launch multiple high-profile, high-impact DDoS attacks against various Internet properties and services in 20161. Since the release of Mirai’s source code, IoT botnet authors have used it as a framework to build new malware. Authors have expanded the original Mirai code base with new capabilities and functionality while making some improvements.

In this blog post we’ll delve into four Mirai variants; Satori, JenX, OMG and Wicked, in which the authors have built upon Mirai and added their own flair. Satori leveraged remote code injection exploits to enhance the Mirai code, while JenX removed several features from the code and instead relies on external tools for scanning and exploitation.

OMG was also added to the Mirai legacy. OMG adds a novel feature in the form of an HTTP and SOCKS proxy. These proxy features enable the infected IoT device to act as a pivot point. The bot author now has the flexibility to launch additional scans for new vulnerabilities, or additional attacks without having to update the original binary. Depending on the type of IoT device, and how its connected, the bot author can pivot to private networks which are connected to the infected IoT device.

The latest minion to hit the scene is Wicked. Wicked’s flair is the ability to target Netgear routers and CCTV-DVR devices which are vulnerable to remote code execution (RCE) flaws. Within the RCE exploit, Wicked would include instructions to download and execute a copy of the Owari bot. Often, the scanning and exploitation of devices can be automated, resulting in any susceptible devices becoming part of the botnet.

Key Findings

The JenX bot evolved from Mirai to include similar coding, and eliminated the scanning and exploitation capabilities.

OMG bot, a recent entrant to the IoT malware scene, capitalizes on the Mirai source code and expands it to add HTTP and SOCKS proxy capabilities.

Wicked, the latest Mirai minion, leverages RCE flaws to infect Netgear routers and CCTV-DVR devices. When vulnerable devices are found, a copy of the Owari bot is downloaded and executed.

IoT Summary

IoT covers a wide range of devices, including (but not limited to):

IP base cameras

cable/DSL modems

DVR systems

medical devices

Any embedded device that runs an operating system and has networking ability (send/receive data over a network) can be considered an IoT device. IoT devices quickly go to market and have low costs. These factors lend them to suffer from the most basic types of vulnerabilities. Vulnerabilities including:

hard code/default credentials

buffer overflows

command injection

Most consumer IoT devices contain these types of vulnerabilities. When patches are released to address these issues, they are rarely applied. Typically, a consumer plugs in an IoT device and never contemplates the security aspect, or perhaps does not understand the necessity of applying regular security updates and patches. With nearly 27 billion connected devices in 2017 rising to 125 billion by 2030, according to new analysis from IHS Markit2, they make an extremely attractive target for malware authors.

IoT Malware

In the latter half of 2016, a high-visibility DDoS attack against a DNS hoster/provider was observed, which affected a number of major online properties. The malware responsible for this attack, among others, was Mirai.

Mirai built its massive infrastructure by using a telnet brute force password attack against IP cameras and home routers. The credential list used by Mirai consisted of factory default credentials. On September 30, 2016 the source code for Mirai was published. Since then the Mirai source code has been a major influence on a slew of recent IoT based botnets (explained in detail below):

Satori

JenX

OMG

Wicked

Satori Overview

NETSCOUT Arbor saw several variants of Satori in the wild from December 2017 through January 2018. Each of these variants used Mirai as its foundation. Variant 2 (977534e59c72dafd0160457d802f693d) used the default credential scanning while variant 3 (440af2606c5dc475c9a2a780e086d665ca203f01) added the use of two remote code exploits. Variant 4 (9c677dd17279a43325556ec5662feba0) made the biggest splash as it was the first IoT bot to target the ARC architecture.

For this example, we’ll focus on Satori variant 3. The 3rd variant of Satori uses the same configuration table as Mirai (Figure 1 & Figure 2). Variant 3 also uses the same string obscuration technique as Mirai and simply modifies the XOR key to “0x07”. These same features can be found in OMG. In the case of OMG the author utilizes the XOR key of “deadbeef,” as we’ll see later. The XOR key of “deadbeef” is the original key from the Mirai source code.

Figure 1: Satori configuration table (table_init) function

Figure 2: Mirai configuration table (table_init) function

We see the author expanding on Mirai source code to include different exploits such as the Huawei Home Gateway exploit as show in Figure 3.

Figure 3: Huawei Home Gateway Exploit

The SHA1 for the Satori variant 3 sample referenced above was 440af2606c5dc475c9a2a780e086d665ca203f01 and was first submitted to Virus Total on 12/05/2017.

JenX Overview

JenX is another example of an IoT botnet where the underlying code originates with Mirai. JenX includes several of the Mirai’s DDoS capabilities, uses the same configuration table, and includes the same string obfuscation technique. Figure 4 and Figure 5 is a comparison between the attack_udp_generic attack code in JenX and Mirai. OMG shares several similarities with JenX, but one area OMG differs is the use of the HTTP DDoS attack which originated from Mirai. The HTTP DDoS attack has been removed from JenX, but is still available in OMG.

Figure 4: attack_udp_generic DoS Attack JenX

Figure 5: attack_udp_generic DoS Attack Mira

Instead of storing the C2 in the configuration table like Mirai, JenX chooses to hard code the IP address of the CNC as shown in Figure 6.

Figure 6: resolve_cnc_addr Function

Notably, JenX removed the scanning and exploitation functions. A separate system handles this functionality, which is major departure from Mirai, Satori, and OMG. Currently, it appears JenX only focuses on DDoS attacks against players of the video game Grand Theft Auto San Andreas, which has been noted by other researchers.

The SHA1 for the JenX sample referenced above was 5008b4a7048ee0a013465803f02cb9c4bffe9b02 and was first submitted to Virus Total on 02/01/2018.

OMG Overview

One of the most interesting Mirai spawns is the OMG botnet. As with the other botnets discussed, OMG uses Mirai as its framework and supports all of the functionality in Mirai. What makes OMG stand out is how the author expanded the Mirai code to include a proxy server. OMG incorporates 3proxy, which allows it to enable a SOCKS and HTTP proxy server on the infected IoT device. With these two features, the bot author can proxy any traffic of its choosing through the infected IoT device. Including additional scans for new vulnerabilities, launching additional attacks, or pivot from the infected IoT device to other networks which are connected to the device.

OMG leverages the same type of configuration table as Mirai, Satori, and JenX to enable or disable iptables rules, which allows access to the proxy servers. OMG adds two new entries into the configuration table to handle adding and removing iptables rules (Figure 7).

Figure 7: OMG configuration table (table_init) function

Figure 8 is a snippet of the obfuscated iptables command referenced by the configuration table above. Using an XOR key of “deadbeef” we can retrieve the deobfuscated iptables command (Figure 9).

Figure 8: OMG XOR’ed iptables command

Figure 9: OMG deobfuscated iptables command

Figure 10 is the function that controls the iptables rules. The command retrieve is used to access the configuration table values (Figure 7).

Figure 10: OMG iptables function

As shown in the figures above, the author of OMG has expanded on the original Mirai source code to handle the new proxy functionality.

The SHA1 for the OMG sample referenced above was 0ed366c1af749cbda25ff396f28a6b7342d5dcd9 and was first submitted to Virus Total on 1/15/2018.

Wicked Overview

Wicked is the latest Mirai minion to rear its ugly head. Similar to Satori variant 3, Wicked trades in Mirai’s credential scanning function for its own RCE scanner. Wicked’s RCE scanner targets Netgear routers and CCTV-DVR devices. Figure 11 is an excerpt of the scanner function in which the RCE payloads are defined.

Figure 11: RCE exploits

Wicked continues with the long-standing tradition of using Mirai’s string obfuscation technique. As with the minions before it, Wicked also switches the XOR key from “0xdeadbeef”. As shown in Figure 12, we see the obfuscated strings ending in “0x37”. It’s a good indication that Wicked is using “0x37” as the XOR key, as C character strings should be null terminated.

Figure 12: Wicked’s obfuscated strings

Using the XOR key of “0x37”, we can decode the obfuscated strings. While reviewing the decoded strings the following ASCII art was found:

NOTE: Satori, JenX, and Wicked support the same DDoS capabilities, except for the HTTP attacks.

Mirai DDoS Defense

All relevant network infrastructure, host/application/service, and DNS Best Current Practices (BCPs) should be implemented by network operators with public-facing network infrastructure and/or Internet properties. Organizations that use NETSCOUT Arbor SP may ingest flow telemetry (e.g., NetFlow, IPFIX,s/Flow, cflowd/jflow, Netstream, et. al.) into the appliance, which provides the ability to detect, classify, and traceback DDoS attack traffic.

Flow telemetry is used to identify IP addresses of the attacking IoT devices and the attack type(s) used. If the attacker is using non-spoofed DDoS attacks, the IP addresses of the attacking IOT devices can be blocked using Black-/White-lists on NETSCOUT Arbor APS/TMS.

Conclusion

Using Mirai as a framework, botnet authors can quickly add in new exploits and functionally, thus dramatically decreasing the development time for botnets. The Mirai source is not limited to only DDoS attacks. A variant of Satori was discovered which attacks Ethereum mining clients3. As seen with the four samples covered above, botnet authors are already using the Mirai source code as their building blocks. As the explosion of IoT devices does not look to be slowing down, we believe we’ll continue to see increases in IoT botnets. We are likely to see remnants of Mirai live on in these new botnets as well.

Malware authors will continue to leverage IoT based malware in automated fashion, quickly increasing the botnet size through worm-like spreading, network proxy functionality, and automated exploitation of vulnerabilities in internet facing devices. It is important for organizations to apply proper patching, updates, and DDoS mitigation strategies to defend their organizations.

Subscribe to this blog

First Name*

Last Name*

Company*

Email*

Phone

This field is for validation purposes and should be left unchanged.

Asert

Arbor’s Security Engineering & Response Team (ASERT) delivers world-class network security research and analysis for the benefit of today’s enterprise and network operators. ASERT engineers and researchers are part of an elite group of institutions that are referred to as ‘super remediators’ and represent the best in information security. ASERT has both visibility and remediation capabilities at nearly every tier one operator and a majority of service provider networks globally.

ASERT shares operationally viable intelligence with hundreds of international Computer Emergency Response Teams (CERTs) and with thousands of network operators via in-band security content feeds. ASERT also operates the world’s largest distributed honeynet, actively monitoring Internet threats around the clock and around the globe.

Arbor Networks has collaborated with Jigsaw (formerly Google Ideas) to create a data visualization that shows how Distributed Denial of Service (DDoS) attacks have become a global problem. The data is updated daily from Arbor’s global network of sensors and can be viewed at www.digitalattackmap.com